On Tue, Jun 2, 2015, at 11:19, A.M. Kuchling wrote:
> Someone ran an experiment looking at the SSH keys used on GitHub
> (public keys are accessible through the API):
>
> https://blog.benjojo.co.uk/post/auditing-github-users-keys
>
> Excerpt:
>
> I remembered back to the May 2008 Debian OpenSSH bug, where
> the randomness source was compromised to the point where the
> system could only generate one of 32k keys in a set.
>
> I used g0tmi1k’s set of keys to compare against what I had in
> my database, and found a very large amount of users who are
> still using vulnerable keys, and even worse, have commit
> access to some really large and wide projects including:
>
> ...
> Crypto libraries to Python
> Django
> Python’s core
> ...
>
> CPython is not officially on github, so committing evil stuff to the
> github mirror may not matter very much, but these users may have the
> same key configured for hg.python.org. Should we check everyone's SSH
> keys?
I believe Martin checked everyone's keys when that vulnerability was announced. He certainly emailed me anyway. Not that it wouldn't hurt to do again.

Also, everyone should use ed25519 keys now. :)

_______________________________________________
python-committers mailing list
python-committers@python.org
https://mail.python.org/mailman/listinfo/python-committers
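The audit the thread is asking for, as an added example that is not from the thread or from python.org's infrastructure: it fingerprints authorized_keys lines the way `ssh-keygen -lf` does (SHA-256 of the decoded key blob), matches them against a blocklist of known-weak fingerprints, and also flags keys that are not ed25519. The key blobs and the blocklist are constructed filler, not the real 2008 weak-key set.

```python
import base64
import hashlib
import struct
KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-nistp256")

def ssh_string(b):
    # SSH wire-format string: 4-byte big-endian length prefix, then the bytes
    return struct.pack(">I", len(b)) + b

def make_key_line(key_type, payload, comment):
    # Build a syntactically valid authorized_keys line from a CONSTRUCTED
    # blob; the payload is filler, not real key material.
    blob = ssh_string(key_type.encode()) + ssh_string(payload)
    return f"{key_type} {base64.b64encode(blob).decode()} {comment}"

def fingerprint(line):
    # Return (type, "SHA256:<b64>", comment), the same form ssh-keygen -lf
    # prints: base64 of the SHA-256 of the decoded blob, '=' padding dropped.
    fields = line.split()
    idx = next(i for i, f in enumerate(fields) if f in KEY_TYPES)  # skip options
    key_type, b64 = fields[idx], fields[idx + 1]
    comment = " ".join(fields[idx + 2:])
    digest = hashlib.sha256(base64.b64decode(b64)).digest()
    fp = base64.b64encode(digest).decode().rstrip("=")
    return key_type, "SHA256:" + fp, comment

def audit(lines, blocklist):
    # Flag keys on the weak-key blocklist first, then any key that is not
    # ed25519 (the type the reply above recommends).
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key_type, fp, comment = fingerprint(line)
        if fp in blocklist:
            findings.append((comment, "KNOWN-WEAK", fp))
        elif key_type != "ssh-ed25519":
            findings.append((comment, "NOT-ED25519", fp))
    return findings

# Constructed sample keys (filler payloads, not real keys).
WEAK = make_key_line("ssh-rsa", b"\x00" * 8, "alice@legacy")
RSA_OK = make_key_line("ssh-rsa", bytes(range(16)), "bob@workstation")
ED25519 = make_key_line("ssh-ed25519", b"\x01" * 32, "carol@laptop")
# Constructed blocklist; in practice load the vetted weak-key fingerprint set.
BLOCKLIST = {fingerprint(WEAK)[1]}

def run_demo():
    return audit([WEAK, 'from="10.0.0.0/8" ' + RSA_OK, ED25519, "# comment"], BLOCKLIST)
```

Feed `audit()` the lines of each committer's authorized keys and a blocklist built from a vetted weak-key set; each finding carries the comment field so the owner can be contacted.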